"METHOD OF SENDING AND VALIDATING DOCUMENTS"


This invention refers to the above-described method and makes it impossible to
make a fraudulent copy of a document. As is explained below, the method to be
outlined in greater detail herein offers several advantages.

Although this report specifically deals with those cases where the documents to be
obtained are tickets, the method introduced by said invention can also be applied to
other, more general, types of document, as will be explained further on.

Today it is possible to order or book many different types of ticket, such as plane
tickets, train tickets, admission tickets to shows, etc. through telesales systems. Said
tickets can be paid for in several different ways, by credit card or by charging the cost to
a bank account, or an account in a similar institution.

Nevertheless, to collect tickets purchased in this way, these must be sent to the
purchaser by post or using a messenger service, meaning increased issuing costs and an
inconvenience for the user, in the event they have to travel to pick them up.

Until now, tickets have been delivered in this way principally because the authenticity
of this type of document is based on a certain characteristic of the support used (the
paper) or the printing method to make these more difficult to falsify. This means that
the user cannot obtain a printed copy of the document in question.

As an alternative to this method, the abovementioned technique proposes several
different systems for remotely sending tickets, and a brief summary of these is given
below.

The first system is the one described, to a greater or lesser degree, in documents nº
WO01/61577 A2, WO00/74300 A1, WO00/45348, WO200161577, WO2000744300,
WO200045348 and US5598477, and is principally based on coding the data considered
relevant and then encrypting this, using asymmetric or symmetric key techniques. The
result of this encoding is then printed as a barcode or similar so that it can be
automatically checked when being validated. This system makes it impossible for
anyone who does not know the encryption key to generate tickets (in the event
asymmetric key cryptography is used, this would refer to the secret key of the
algorithm). However, one disadvantage of this method is that it is possible to obtain
copies of a ticket that has already been sent and, as a result, it is necessary to use other
additional security measures, such as the on-line control of validated tickets, the
inclusion of verifiable personal data (National ID Number, passport, or other) in the
encrypted code (in the case of those tickets that include a fixed date or place of use), etc.
The system is especially inefficient in the case of tickets that can be used on a wide
range of dates, such as hotel vouchers, public transportation tickets, etc. and in places
where there are a great many people trying to gain admission, as the time needed to check
the identity of the holder would create serious inconvenience. For all of the above
reasons, this system is not widely used in practice.

Another possible system is the one described, to a greater or lesser degree, in documents
nº EP0969426 A1, EP0S29828 A, EP969426, JIM 1306397, EP309318 and others, and is
based on recording the ticket information on a device such as a smart card. As the
recording device (card) allows the use of cryptographic techniques for
identification and makes it extremely difficult to violate the information stored therein,
it is practically impossible to duplicate the ticket, thus guaranteeing there is no more
than one. Therefore, it is not necessary to carry out on-line control to validate the ticket,
nor is it necessary to identify the holder when the ticket is to be used. Nevertheless, one
disadvantage of this system is that the user is required to have a smart card recording
peripheral in their house, making the system extremely costly to use, which is why it is
rarely employed in practice.

An alternative to these systems for remotely sending tickets is proposed by the new
method introduced by this invention, and this solves all the problems related with other
known systems. The invention proposes a new method for obtaining documents (for
example, tickets) generally at the user's home and their later automatic validation.
Thanks to the new method introduced by this invention it is impossible to make a
fraudulent duplicate of any ticket (thus guaranteeing there is no more than one), and
it is unnecessary for the user to have a smart card reader/recorder, thus making the
system more flexible and less costly.

The method introduced by this invention uses cryptographic techniques along with
portable verifier devices which can process and store information and which offer a
high level of protection against unauthorized readers and writers and make it very
difficult to make fraudulent copies.

The most appropriate portable verifier devices are smart cards.

Although, theoretically speaking, it is more appropriate to use public key cryptography
to obtain authentication codes (as this means it is not necessary to store secret keys
during the validation stage), the codes will be considerably larger than those needed
if secret key (symmetric) cryptography is used. If the document is not to be printed but
presented in another format (magnetic, optical, electronic support, etc.) this has no
particular relevance. However, in the event the document is to be printed, the fact that the
authentication code is to be read automatically makes it necessary to use dot codes,
which means more expensive apparatus will be required to read them. For this reason,
and to facilitate printed support, the use of symmetric key cryptography is preferable. In
contrast, it is necessary to use secure key storage devices, generally security
microprocessors, in the verifiers.

[...] generally through Internet from a browser) and validate these using automatic readers
(generally barcode readers), which can read/write in the portable verifier devices
(generally smart cards). To improve reading speed, sturdiness and versatility it is
recommended that no direct contact be necessary when using a portable verifier device.

The elements involved in the entire process of the invention are as follows.

- The portable verifier device sender: this is in charge of providing the portable
  verifier devices necessary to validate the documents.
- The portable verifier device operator: this encrypts the document to be decrypted
  by the portable verifier device. In order to carry out this function, the
  corresponding keys must be loaded into the portable verifier device. A portable
  verifier device can support several portable verifier device operators. A portable
  verifier device operator may coincide with a portable verifier device sender.
- A document portal: this is in charge of providing the interface necessary to
  select and, where applicable, purchase a document. Once a document has been
  selected, the portal sends the appropriate data to a reader operator so that it can
  be encrypted using the key of the group of readers/verifiers/recorders in charge
  of validating the document.
- A reader operator: this is in charge of encrypting the document to be decrypted
  by the abovementioned group of readers/verifiers/recorders. A reader operator
  may coincide with a portal.
- A reader/verifier/recorder: this reads the document's authentication code,
  transmits this to the portable verifier device, receives the response, decrypts the
  reader operator's encryption using the corresponding code and validates or rejects
  the document.
- A portable verifier device: this receives the document's authentication code
  (transmitted by the reader/verifier/recorder), and, provided this has not been
  cancelled beforehand, decrypts the portable verifier device operator's encryption
  using the corresponding code, includes this in the list of cancellations and sends
  the results of the decryption to the reader/verifier/recorder.

The method for sending and validating documents introduced by this invention is
carried out using authentication codes and portable verifier elements which can process
and store information and which offer a high level of protection against unauthorized
readers and writers.

The inventive method is characterised in that the aforementioned authentication code is
generated specifically for a particular portable verifier, which is indicated directly or
indirectly by the person requesting the document. In this way, no data record of any
type is required in the portable verifier element up to the point at which the document is
validated. It is essential, however, that the portable verifier be actively involved in the
validation, said portable verifier containing a stored list of validated documents such
that it is possible to determine, at least, whether or not this is the first validation.

The method is comprised of the following phases:

- The document is generated from a document portal and the data considered
  relevant is coded using the key that corresponds to the group of
  readers/verifiers/recorders involved in the validation of the document, so that the
  first cryptographic operation can be carried out. Linked to the first one, there is
  a second cryptographic operation which includes the key corresponding to
  the portable verifier device associated with the document, and, as a result of
  these cryptographic operations, an authentication code is created for the
  document and is incorporated therein; and
- The document is checked by reading its authentication code, and the appropriate
  third cryptographic operations are carried out to verify those already employed
  to generate the document. It is essential, however, that the portable verifier
  device associated for the validation of the document be actively involved, and
  said portable verifier should contain a list of validated documents such that it is
  possible to determine, at least, whether or not this is the first validation.

In accordance with the design of the invention, the portable verifier devices can be
individualized by storing one or more portable verifier device keys, which must be keys
of a symmetric or secret key encryption algorithm. In addition, the first and second
cryptographic operations are made up of two encryptions using a symmetric
cryptographic algorithm, one with the key of the group of readers/verifiers/recorders
involved in the validation of the document and the other with the key that corresponds
to the portable verifier device associated with the document. The third cryptographic
operations consist of the decryption, by the portable verifier device using its corresponding
key, of the document's authentication code and the subsequent decryption, carried out
by the aforementioned reader/verifier/recorder and its corresponding code. Both
decryptions will be effected through symmetric cryptographic algorithms.

Ideally, the portable verifier devices should be individualized by storing one or more
portable verifier device keys, which must be the secret keys of an asymmetric or public
key cryptographic algorithm. The abovedescribed first and second cryptographic
operations are based on public key cryptography, which is composed of a digital
signature with a secret key, and the readers/verifiers/recorders involved in the validation
of the document will know its corresponding public key, and an encryption using the
corresponding public key of the portable verifier device associated with the document.
The third cryptographic operations will be based on public key cryptography composed
of a decryption using the secret key corresponding to the portable verifier device
associated with the document and the verification of the signature, with the
corresponding public key stored in the readers/verifiers/recorders.

Alternatively, the portable verifier devices can be individualized by storing one or more
portable verifier device keys, which must be the secret keys of an asymmetric or public
key encryption algorithm. The abovedescribed first and second cryptographic operations
are based on public key cryptography which is composed of an encryption using the
public key of the readers/verifiers/recorders involved in the validation of the document
and an encryption using the public key corresponding to the portable verifier device
associated with the document. The abovementioned third cryptographic operations will
be based on public key cryptography composed of a decryption using the secret key
corresponding to the portable verifier device associated with the document and a
decryption using the secret key of said readers/verifiers/recorders.

This invention also offers the possibility of individualizing the portable verifier devices
by storing one or more portable verifier device keys, which must be the public keys of
an asymmetric or public key cryptographic algorithm. The first and second
cryptographic operations are based on public key cryptography which is composed of a
digital signature using a secret key corresponding to the public key stored in the
readers/verifiers/recorders involved in the validation of the document and another
digital signature using the secret key corresponding to the appropriate individualization
key stored in the portable verifier device associated with the document. The
abovementioned third cryptographic operations will be based on public key
cryptography composed of the verification of the signature by the portable verifier
device associated with the document with the appropriate individualization key and a
second verification of the signature using the public key of the
readers/verifiers/recorders.

Another alternative way to individualize the portable verifier devices is by storing one
or more portable verifier device keys, which must be the public keys of an asymmetric
or public key cryptographic algorithm, and the first and second cryptographic
operations are based on public key cryptography which is composed of an encryption
using the public key corresponding to the secret key stored in the
readers/verifiers/recorders involved in the validation of the document and a digital
signature using the secret key corresponding to the appropriate individualization key
stored in the portable verifier device associated with the document. The third
cryptographic operations will be based on public key cryptography composed of the
verification of the signature by the portable verifier device associated with the document
using the appropriate individualization key and a decryption using the secret key
corresponding to the readers/verifiers/recorders.

In addition, before validating the document, the method introduced by the invention
also checks that this has not already been included in the list of validated documents.

What's more, the reader/verifier/recorder will be informed if the document to be
validated has already been included in the list of validated documents, so that it can
proceed as appropriate.

The document to be validated will then be included in the list of validated documents,
provided it does not already appear therein, and the corresponding cryptographic
operation will be carried out when reversing and/or checking the cryptographic
operation corresponding to the portable verifier device, and the result will be sent to the
reader/verifier/recorder so that it can proceed as appropriate.

One advantage is that the cryptographic authentication established between the portable
verifier device and the reader/verifier/recorder is both mutual and firm.

One fact of particular importance is that a cooperative and random session key is
established between the portable verifier device and the reader/verifier/recorder and this
is used to encrypt all pertinent messages between the two.

Ideally senders should individualize the portable verifier devices using one or more
keys obtained from the encryption of the serial number using one or more master keys
chosen by the portable verifier device operators, so that the master key of each operator
and the portable verifier device corresponds with the identifier, which should be legible
by the user.

In accordance with this invention, the abovementioned reader/verifier/recorder has been
adapted to send information, accepting or rejecting the document and stating the reason
why.

Another advantage of this method is that the reader/verifier/recorder keys are common
to the group of readers.

The keys stored in the readers/verifiers/recorders are obtained by encrypting the
identifiers, or parts of these, using the master keys chosen by the operators.

In the event the document has an expiry date, this will be included in the authentication
code, so that they can be eliminated from the list of validated documents stored in the
portable verifier once this date has passed.

On the other hand, said portable verifier devices receive the date on which expired
documents are to be deleted from the list of validated documents through a digital
certificate sent by a competent body.

The document and/or authentication code can be selected and obtained through Internet 
and the document's authentication code can be sent to the user's mobile phone or 
electronic agenda, or indeed any similar device belonging to the user. 

Another characteristic of the invention is that it is possible to print the authentication
code through one or more barcodes. In the case of several barcodes, these will include
the correct reading order. It will also be possible to print the authentication code
alphanumerically or through a dot code. The authentication code can be printed
alphanumerically so that this can be keyed in manually in the event the automatic
reading code deteriorates.

The method described guarantees the documents are unique and authentic. The
encryption of the authentication codes is carried out using two secret keys, which
ensures authentic documents cannot be generated externally. The document can be
made unique by associating one of the encryptions with the portable verifier device. In
the event the document is duplicated by a system, no result will be obtained, as once the
portable verifier device has validated the document it will not revalidate this. Thus, to
be able to use a copy it would also be necessary to duplicate the portable verifier device,
which is impossible due to its characteristics.

On the other hand, it is also possible to cancel documents without needing to send black
lists to the reader/verifier/recorder. In order to cancel a document, the holder has to take
the document in question and the portable verifier device to an authorized office. The
document will then be entered as cancelled in the portable verifier device in such a way
that, should the purchaser have kept a copy of the document, he will not be able to use
this, as the portable verifier device will no longer validate it.

If we wish to avoid overloading the storage capacity of the portable verifier device, the
following should be borne in mind when including lists of cancelled documents.
Documents that expire should include an expiry date in the authentication code, so that
once they are out of date, they can be eliminated from the list and no longer take up
space. The portable verifier devices should incorporate an administrator for residual
cancellations to detect expired documents and clear the lists after the date obtained from
a certificate provided by the reader/verifier/recorder. The date is obtained from a central
server that certifies this through a public key system. This certificate, which may be sent
just once a day, is sent to the portable verifier device which, after verifying its
authenticity, eliminates the documents that have been cancelled, according to the
certified date, from the list. Needless to say, an expired document will never be accepted
as valid.

This is a universal system that can be used by many different services (admissions
tickets, transport tickets, season tickets, vouchers, cheques, lottery tickets, etc.), several
Internet portals, and several portable verifier device operators. Although this system is
especially useful in the case of printed format, it can also be used with other different
types of format, such as diskettes, storage on mobile telephones, portable electronic
agendas or similar, Bluetooth cards, optical discs, CDs, etc.

The alternative used in the case of mobile telephones and electronic agendas is
particularly interesting, as it is possible to send the document's authentication code to
the purchaser's mobile phone through an SMS text message or using WAP technology,
and when the document is to be used, the purchaser can download this in the
reader/verifier/recorder using an infrared link, radio link (for example, Bluetooth or
SMS, etc.) or another similar system.

In this case, as indicated above, there is no restriction on the length of the barcode, 
which means that public key cryptography can be used without any problems. 

Underneath is a description of how public key cryptography can be used to generate the
authentication code.

First of all, it is necessary to select the relevant information, code it and digitally sign it
using the secret key of the appropriate reader operator (the reader/verifier/recorder
responsible for checking the document has the corresponding public key stored).

Then, the result of the previous operation is encrypted using the public key of the
portable verifier device associated with the document (the portable verifier device
charged with validating the document has the corresponding secret key stored inside).

The verification process is explained below:

The authentication code is read and transmitted to the portable verifier device, which
decrypts this using its secret key and introduces it into the list of validated documents
(in the event this document was already included on the list, the reader/verifier/recorder
will be notified).

Said reader/verifier/recorder receives this decryption and checks the validity of the
signature using the public key of the reader operator that generated the authentication
code. If the signature is correct, it accepts the document and, if not, the document will
be rejected.

There are four possible combinations when using public key cryptography for this
purpose, and these are encryption (signature), as explained above, signature
(signature), encryption (encryption) and signature (signature). It should be noted that,
although all four options are possible, ideally the first should be used, as it minimizes
the risks of attacks on the system. Specifically, it makes the secret key of the reader
operator unnecessary and prevents the content of the security code from being read.

Another advantage offered by the method presented by this invention is that it is
possible to generate documents of a determined type or service for the portable verifier
devices of different operators. Thanks to this functionality, it is possible for several
different portals associated with different operators of portable verifier devices to
generate documents for the same service.

In addition, this invention ensures that the different services and portable verifier device
operators cannot affect the operation and security of other services and operators for
which they have not been given authorization. What's more, the user can remain
anonymous and the system can be used by anybody with an appropriately-programmed
smart card (portable verifier device), but does not require personal identification of the
user (only the card has to be identified and this can be impersonal and transferable).

One especially important aspect of the method described is that it can be easily
implemented with the current ticket issuing systems.

The method for sending and validating documents of this invention can be used for
different types of document in many different services and applications. Some
examples of the different types of document are admission tickets into cinemas,
theatres, shows, etc., where an extra service, for example parking, can be contracted;
tickets for trains, buses, ships and any form of transport in general where there is a
specific date to travel and a ticket inspector (not a boarding card); plane tickets, where a
boarding card is necessary; hotel vouchers and vouchers for admission to festivals, etc.,
when neither the date nor the place have been specified beforehand; season tickets for
city transport, for example by subway, bus, local or suburban train, when neither the date
nor the period have been specified beforehand; vouchers for sales promotions, cheques,
lottery tickets, etc.

Underneath is an explanation of how the method introduced by this invention should 
preferably be carried out. 

We are going to look at one specific case in which there is only one sending card
operator, which also functions as a reader operator. In addition, the system is used to
sell tickets over the Internet to be later printed in the client's home using a standard 300
dpi printer.

MIFARE ProX cards are used as portable verifier devices and these have been
personalized using a key obtained by encrypting the serial number of each card using
Triple DES with a master key. Thus, it is not necessary to save the correspondence
between the serial number and the card key in a database. The entire protocol to be
maintained with the reader/verifier/recorder is programmed in the cards and these are
also given a list of cancelled tickets with the method for eliminating the expired tickets
from the list by inserting a date certificate in the card. The cryptographic coprocessor of
the card is especially indicated for this task. Once the cards have been personalized,
they are provided to the system users.

The holder of each ticket can then connect to the ticket portal they wish, normally
selecting the one that interests them, and use any one of the methods of payment
accepted by the portal in question. Once the portal decides the transaction is valid, it
sends the data to be incorporated into the ticket's authentication code (a supposed value
of 128 bits, more than enough for almost all applications) to the card and reader
operators, which in this case would be the same. It also sends the purchaser's card
identifier and the identifier of the group of readers in charge of verification so that the
appropriate keys can be selected. The transmission is carried out via Internet using SSL
to guarantee its integrity and authenticity.

The card and reader operator carries out the initial Triple DES encryption of the data
received using the key of the indicated group of readers. Given the block size of the
algorithm is 64 bits, the linked encryption of the two blocks is carried out in CBC mode
(128 bits). The reader key is obtained by encrypting (Triple DES) the reader identifier with
a master key known only to the operator. Then a second Triple DES encryption is carried out
(also CBC linked) using the smart card key of the ticket holder, which can be obtained
by encrypting the card identifier with a master key, as in the case of the reader. The
result of these two encryptions is a block of 128 bits that makes up the ticket's
authentication code. This code is returned to the portal also through SSL.

The ticket portal generates a PDF version of the ticket, which contains the
authentication code in two Code 128 type barcodes. The reason two barcodes are used is
that for a printing resolution of 300 dpi, the length of a Code 128 barcode is some
7[illegible] mm for approximately 64 bits of information, which corresponds to the
maximum width admitted by inexpensive barcode readers. The codes include non-coded
information, thus making the reading order irrelevant. The ticket also includes a numerical
transcription of the code information, so that in the event this deteriorates, said
information can be manually keyed in.

The PDF format of the ticket is sent to the purchaser, who can then immediately print
this out using a standard printer.

When the ticket holder arrives at the entrance to the show, he hands the smart card and
the ticket to the doorman. The doorman reads the barcode and then brings the smart card
over to the reader without these actually coming into direct contact. At this moment the
information in the barcode is transferred to the card, which checks that this is not
already on the list of cancelled tickets. If it is on the list, the reader is informed, so that
the doorman can proceed as appropriate. In the event the ticket is not on the list of
cancelled tickets, it will be added to this, decrypted with its key and sent to the reader.
The reader then decrypts it again using its secret key and checks that the data are
consistent (date, session, seat number, etc.). If all this coincides, the admission ticket to
the show will be definitively validated. Before the data are transferred between the
reader and the card, firm, mutual challenge-based identification takes place and a
session key that is used to encrypt the entire communication will be established.
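
The issuing and door-validation flow of this embodiment, as an added example that is not
part of the patent text. Assumptions: Triple DES is replaced by a standard-library stand-in
(a 4-round Feistel cipher with an HMAC-SHA256 round function, same 64-bit block), the CBC
IV is all zeros, the 128-bit field layout, identifiers and master keys are constructed,
and the mutual authentication and session key between card and reader are left out.

```python
import hashlib
import hmac
import struct

BLOCK = 8    # 64-bit block, the Triple DES block size given in the text
ROUNDS = 4   # Feistel rounds of the stand-in cipher (assumption, NOT Triple DES)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher: truncated HMAC-SHA256.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, data):
    out, prev = b"", bytes(BLOCK)          # all-zero IV is an assumption
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, data):
    out, prev = b"", bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        out += _xor(decrypt_block(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def diversify(master_key, identifier):
    # Key of a card or reader group = its 8-byte identifier encrypted under a
    # master key, so no identifier-to-key database has to be kept.
    return encrypt_block(master_key, identifier)

def issue_code(ticket, reader_key, card_key):
    # First encryption: reader-group key. Second, chained on it: the holder's card key.
    return cbc_encrypt(card_key, cbc_encrypt(reader_key, ticket))

class Card:
    """Portable verifier: holds its key and the list of codes already presented."""
    def __init__(self, key):
        self._key = key
        self._seen = set()

    def process(self, code):
        if code in self._seen:
            return None                    # not the first validation
        self._seen.add(code)
        return cbc_decrypt(self._key, code)

def validate_at_door(card, code, reader_key, event_id, date):
    inner = card.process(code)
    if inner is None:
        return "rejected: already validated"
    event, day, seat, pad = struct.unpack(">IIH6s", cbc_decrypt(reader_key, inner))
    if (event, day, pad) != (event_id, date, bytes(6)):
        return "rejected: inconsistent data"
    return "accepted: seat %d" % seat

# Constructed sample values (not from the patent).
READER_KEY = diversify(b"constructed reader master key", b"DOORGRP1")
CARD_MASTER = b"constructed card master key"
TICKET = struct.pack(">IIH6s", 4711, 20240518, 12, bytes(6))   # 128 bits of ticket data

def demo():
    holder = Card(diversify(CARD_MASTER, b"CARD0001"))
    other = Card(diversify(CARD_MASTER, b"CARD0002"))
    code = issue_code(TICKET, READER_KEY, diversify(CARD_MASTER, b"CARD0001"))
    return [
        validate_at_door(holder, code, READER_KEY, 4711, 20240518),  # original ticket
        validate_at_door(holder, code, READER_KEY, 4711, 20240518),  # copy, same card
        validate_at_door(other, code, READER_KEY, 4711, 20240518),   # copy, other card
    ]

if __name__ == "__main__":
    print(demo())
```

The copy presented with the holder's own card is stopped by the card's list, and the copy
presented with another card is stopped by the reader's consistency check on the decrypted fields.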

Although it is possible to employ the system using only the encryption corresponding to
the card, this is not recommendable as the card's response can be easily replaced, which
would considerably weaken system security.

It will be clear to anyone with an in-depth knowledge of the subject matter that this
method can be varied and modified in numerous different ways, and that the details
can be substituted for other technically equivalent ones, without straying from the
scope of protection defined by the attached claims.